I want to export the Active Directory permissions using the Get-ADPermission cmdlet, as follows:
$orgunit = "Ou=Groups,dc=example,dc=edu"
$filename="Groups-Permissions.csv"
Get-AdObject -Filter 'Name -like "*"' -SearchBase $orgunit -SearchScope "Subtree" -Properties CanonicalName |
    Select @{Name="Identity";Expression={($_.CanonicalName)}} |
    Get-ADPermission |
    Select @{ Name='AccessRights';Expression={[string]::join(",", ($_.AccessRights))}},
        @{ Name='ExtendedRights';Expression={[string]::join(",", ($_.ExtendedRights))}},
        @{ Name='ChildObjectTypes';Expression={[string]::join(",", ($_.ChildObjectTypes))}},
        InheritedObjectType,
        @{ Name='Properties';Expression={[string]::join(",", ($_.Properties))}},
        Deny,InheritanceType,User,Identity,IsInherited,IsValid |
    Export-csv $filename
In the above command I have used the following cmdlets to extract the AD permissions from the ou=groups container:
1. Get-ADObject
2. Select
3. Get-ADPermission
4. Select
5. Export-CSV
1. Get-ADObject
This cmdlet is used to retrieve all the objects under the ou=groups container:
Get-AdObject -Filter 'Name -like "*"' -SearchBase $orgunit -SearchScope "Subtree" -Properties CanonicalName
I have selected the property called CanonicalName, which contains the identity of the AD object. For example:
DistinguishedName: ou=Groups,dc=example,dc=edu
CanonicalName : example.edu/Groups
2. Select
Select @{Name="Identity";Expression={($_.CanonicalName)}}
This maps CanonicalName to an Identity property, because the Get-ADPermission cmdlet expects an Identity value to retrieve the AD permissions from the object.
3. Get-ADPermission
This retrieves all the permissions in the container, based on the Identity property from step 2.
Get-ADPermission
4. Select
It is used to select the attributes from the objects returned by the Get-ADPermission cmdlet.
Select @{ Name='AccessRights';Expression={[string]::join(",", ($_.AccessRights))}},@{ Name='ExtendedRights';Expression={[string]::join(",", ($_.ExtendedRights))}},@{ Name='ChildObjectTypes';Expression={[string]::join(",", ($_.ChildObjectTypes))}},InheritedObjectType,@{ Name='Properties';Expression={[string]::join(",", ($_.Properties))}},Deny,InheritanceType,User,Identity,IsInherited,IsValid
5. Export-CSV
This exports the selected attributes to a CSV file:
Export-csv $filename
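Once the CSV exists, a common review step is to list the allow entries that were set directly on an object (not inherited) and that grant write-level rights. The following is an added example, not part of the original post: the sample rows are constructed and use a subset of the columns exported above, and the function name Get-ExplicitWriteAce and the $writeRights list are assumptions chosen for illustration.

```powershell
# Constructed sample rows using column names the export above writes.
# Against a real export: $rows = Import-Csv 'Groups-Permissions.csv'
$rows = @'
"AccessRights","Deny","User","Identity","IsInherited"
"GenericAll","False","EXAMPLE\Domain Admins","example.edu/Groups/Staff","True"
"WriteProperty","False","EXAMPLE\helpdesk","example.edu/Groups/Staff","False"
"ReadProperty,WriteDacl","False","EXAMPLE\jdoe","example.edu/Groups/Finance","False"
"GenericAll","True","EXAMPLE\contractors","example.edu/Groups/Finance","False"
"ReadProperty,GenericExecute","False","NT AUTHORITY\Authenticated Users","example.edu/Groups","False"
'@ | ConvertFrom-Csv

# ActiveDirectoryRights values that let the trustee modify the object or its ACL
# (assumed review list; adjust to local policy).
$writeRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty'

function Get-ExplicitWriteAce {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        # The export joined multi-valued fields with commas; split them back.
        $rights = $Row.AccessRights -split ',' | ForEach-Object { $_.Trim() }
        $hits   = @($rights | Where-Object { $_ -in $writeRights })

        # Export-Csv writes booleans as the strings "True"/"False".
        # Keep only allow ACEs that are set directly on the object.
        if ($hits.Count -gt 0 -and $Row.IsInherited -eq 'False' -and $Row.Deny -eq 'False') {
            [pscustomobject]@{
                Identity = $Row.Identity
                User     = $Row.User
                Rights   = $hits -join ','
            }
        }
    }
}

$rows | Get-ExplicitWriteAce | Sort-Object Identity, User | Format-Table -AutoSize
```

Inherited entries are skipped here because they are better reviewed once, on the parent container where they are defined.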